ISO 27001 Clause 9.2 Internal audit

Leave a Comment / ISO 27001 ISMS LA, Knowledge Base / By

Activity

ISO 27001 Clause 9.2 Internal audit, The organization conducts internal audits to supply information on conformity of the ISMS to the wants.

Implementation Guideline

Evaluating an ISMS at planned intervals by means of internal audits provides assurance of the status of the ISMS to top management. Auditing is characterized by variety of principles: integrity; fair presentation; due professional care; confidentiality; independence; and evidence-based approach (see ISO 19011). Internal audits provide information on whether the ISMS conform to the organization’s own requirements for its ISMS also on the wants in ISO/IEC 27001.

Related Products:ISO 27001 Lead Auditor Training & Certification
The organization’s own requirements include:
  1. Requirements stated within the information security policy and procedures;
  2. Requirements produced by the framework for setting Information security objectives, including outcomes of the danger treatment process;
  3. Legal and contractual requirements;
  4. Requirements on the documented information.

Auditors also evaluate whether the ISMS is effectively implemented and maintained. An audit program describes the general framework for a group of audits, planned for specific time frames and directed towards specific purposes. This is often different from an audit plan, which describes the activities and arrangements for a selected audit. Audit criteria are a group of policies, procedures or requirements used as a reference against which audit evidence is compared, i.e. the audit criteria describe what the auditor expects to be in situation. An internal audit can identify nonconformities, risks and opportunities. Nonconformities are managed consistent with requirements. Risks and opportunities are managed consistent with requirements. The organization is required to retain documented information about audit program and audit results.

Managing an audit program

An audit program defines the structure and responsibilities for planning, conducting, reporting and following abreast of individual audit activities. intrinsically it should make sure that audits conducted are appropriate, have the proper scope, minimize the impact on the operations of the organization and maintain the required quality of audits. An audit program should also make sure the competence of audit teams, appropriate maintenance of audit records, and therefore the monitoring and review of the operations, risks and effectiveness of audits. Further, an audit program should make sure that the ISMS (i.e. all relevant processes, functions and controls) is audited within a specified time frame. Finally, an audit program should include documented information about types, duration, locations, and schedule of the audits.

The extent and frequency of internal audits should be supported the dimensions and nature of the organization also as on the character , functionality, complexity and therefore the level of maturity of the ISMS (risk-based auditing).The effectiveness of the implemented controls should be examined within the scope of internal audits.

An audit program should be designed to make sure coverage of all necessary controls and will include evaluation of the effectiveness of selected controls over time. Key controls (according to the audit program) should be included in every audit whereas controls implemented to manage lower risks could also be audited less frequently. The audit program should also consider that processes and controls should are operational for a few time to enable evaluation of suitable evidence.

Internal audits concerning an ISMS are often performed effectively as a neighborhood of, or together with, other internal audits of the organization. The audit program can include audits associated with one or more management system standards, conducted either separately or together. An audit program should include documented information about: audit criteria, audit methods, selection of audit teams, processes for handling confidentiality, information security, health and safety provisions for auditors, and other similar matters.

Competence and evaluation of auditors

Regarding competence and evaluation of auditors, the organization should:

  1. Identify competence requirements for its auditors;
  2. Select internal or external auditors with the acceptable competence;
  3. Have a process in place for monitoring the performance of auditors and audit teams; and
  4. Include personnel on internal audit teams that have appropriate sector specific and knowledge security knowledge.

Auditors should be selected considering that they should to be competent, independent, and adequately trained. Selecting internal auditors are often difficult for smaller companies. If the required resources and competence aren’t available internally, external auditors should be appointed. When organizations use external auditors, they ought to make sure that they have acquired enough knowledge about the context of the organization. This information should be supplied by internal staff.

Also Read:ISO 27001 Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation

Organizations should consider that internal employees acting as internal auditors are often ready to perform detailed audits considering the organization’s context, but might not have enough knowledge about performing audits. Organizations should then recognize characteristics and potential shortcomings of internal versus external auditors and establish suitable audit teams with the required knowledge and competence.

Performing the audit

When performing the audit, the audit team leader should prepare an audit plan considering results of previous audits and therefore the got to follow abreast of previously reported nonconformists and unacceptable risks. The audit plan should be retained as documented information and will include criteria, scope and methods of the audit.

The audit team should review:
  1. Adequacy and effectiveness of processes and determined controls;
  2. Fulfillment of data security objectives;
  3. Compliance with requirements defined in ISO/IEC 27001:2013, Clauses 4 to 10;
  4. Compliance with the organization’s own information security requirements;
  5. Consistency of the Statement of Applicability against the result of the knowledge security risk treatment process;
  6. Consistency of the particular information security risk treatment plan with the identified assessed risks and therefore the risk acceptance criteria;
  7. Relevance (considering organization’s size and complexity) of management review inputs and outputs;
  8. Impacts of management review outputs (including improvement needs) on the organization.

The extent and reliability of obtainable monitoring over the effectiveness of controls as produced by the ISMS (see 9.1) may allow the auditors to scale back their own evaluation efforts, provided they need confirmed the effectiveness of the measurement methods.

If the result of the audit includes nonconformities, the audit should prepare an action plan for every nonconformity to be agreed with the audit team leader.

A follow-up action plan typically includes:
  1. Description of the detected nonconformity;
  2. Description of the cause(s) of nonconformity;
  3. Description of short term correction and long run corrective action to eliminate a detected nonconformity within an outlined time frame;
  4. The persons liable for implementing the plan.

Audit reports, with audit results, should be distributed to top management. Results of the previous audits should be reviewed and therefore the audit program adjusted to raised manage areas experiencing higher risks thanks to nonconformity.ISO 27001 Clause 9.2 Internal audit

Other information

Further information are often found in ISO 19011, which provides general guidance on auditing management systems, including the principles of auditing, managing an audit program and conducting management system audits. It also provides guidance on the evaluation of competence of persons or group of individuals involved within the audit, including the person managing the audit program , auditors and audit teams.

Also, additionally to the guidance contained in ISO 19011, further information are often found in:

  1. a) (ISO/IEC 270071), which provides specific guidance on managing an ISMS audit program , on conducting the audits, and on the competence of ISMS auditors; and
  2. b) (ISO/IEC 270081), which provides guidance on assessing information security controls.

Questions related to this topic

  1. Explain ISO 27001 Clause 9.2 Internal audit ?
  2. what is benefits of ISO 27001 Clause 9.2 Internal audit?

ISO 27001 Requirements

Clause 4.2 Understanding the needs and expectations of interested parties 
Clause 4.4 Information security management system
Clause 4.3 Determining the scope of the information security management system
Clause 5.1 Leadership and commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities 
Clause 6.1 Actions to address risks and opportunities
Clause 6.1.2 Information security risk assessment process
Clause 6.1.3 Information security risk treatment
Clause 6.2 Information security objectives & planning
Clause 7.1 Resources
Clause 7.2 Competence
Clause 7.3 Awareness
Clause 7.4 Communication
Clause 7.5 Documented information Implementation Guideline
Clause 8.1 Operational planning & control
Clause 8.2 Information security risk assessment
Clause 8.3 Information security risk treatment
Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation
Clause 9.3 Management review
Clause 10.1 Non conformity and corrective action
Clause 10.2 Continual Improvement 

ISO 27001 Annex A Controls

Annex A.5 Information Security Policies
Annex A.6 Organization of Information Security
Annex A.6.2 Mobile Devices and Teleworking
Annex A.7 Human Resource Security
Annex A.7.2 During Employment
Annex A.7.3 Termination and Change of Employment
Annex A.8 Asset Management
Annex A.8.1.3 Acceptable Use of Assets & A.8.1.4 Return of Assets
Annex A.8.2 Information Classification
Annex A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets
Annex A.8.3 Media Handling
Annex A.9 Access Control
Annex A.9.1.2 Access to Networks and Network Services
Annex A.9.2 User Access Management
Annex A.9.2.3 Management of Privileged Access Rights  
Annex A.9.2.4 Management of Secret Authentication Information of Users
Annex A.9.2.5 Review of User Access Rights 
Annex A.9.2.6 Removal or Adjustment of Access Rights
Annex A.9.3 User Responsibilities
Annex A.9.4 System and Application Access Control
Annex A.9.4.4 Use of Privileged Utility Programs 
Annex A.9.4.5 Access Control to Program Source Code
Annex A.10 Cryptography
Annex A.11 Physical and Environmental Security
Annex A.11.2 Equipment
Annex A.11.1.3 Securing Offices, Rooms and Facilities
Annex A.11.1.4 Protecting Against External and Environmental Threats
Annex A.11.1.5 Working in Secure Areas
Annex A.11.1.6 Delivery and Loading Areas
Annex A.11.2.4 Equipment Maintenance
Annex A.11.2.5 Removal of Assets
Annex A.11.2.6 Security of Kit and Assets Off-Premises
Annex A.11.2.7 Secure Disposal or Re-use of Equipment
Annex A.11.2.8 Unattended User Equipment
Annex A.11.2.9 Clear Desk and Clear Screen Policy
Annex A.12 Operations Security
Annex A.12.2 Protection from Malware
Annex A.12.3 Backup
Annex A.12.4 Logging and Monitoring
Annex A.12.5 Control of Operational Software
Annex A.12.6 Technical Vulnerability Management
Annex A.12.7 Information Systems Audit Considerations
Annex A.13 Communications Security
Annex A.13.2 Information Transfer
Annex A.13.2.3 Electronic Messaging
Annex A.13.2.4 Confidentiality or Non-Disclosure Agreements
Annex 14 System Acquisition, Development and Maintenance
Annex A.14.1.2 Securing Application Services on Public Networks
Annex A.14.1.3 Protecting Application Services Transactions
Annex A.14.2 Security in Development and Support Processes
Annex A.14.2.3 Technical Review of Applications after Operating Platform Changes
Annex A.14.2.4 Restrictions on Changes to Software Packages
Annex A.14.2.5 Secure System Engineering Principles
Annex A.14.2.6 Secure Development Environment
Annex A.14.2.7 Outsourced Development
Annex A.14.2.8 System Security Testing
Annex A.14.2.9 System Acceptance Testing
Annex A.14.3 Test data
Annex A.15 Supplier Relationships
Annex A.15.1.2 Addressing Security Within Supplier Agreements
Annex A.15.1.3 Information and Communication Technology Supply Chain
Annex A.15.2 Supplier Service Delivery Management
Annex A.16 Information Security Incident Management
Annex A.16.1.2 Reporting Information Security Events
Annex A.16.1.3 Reporting Information Security Weaknesses
Annex A.16.1.4 Assessment of and Decision on Information Security Events
Annex A.16.1.5 Response to Information Security Incidents
Annex A.16.1.6 Learning from Information Security Incidents
Annex A.16.1.7 Collection of Evidence
Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.17.1.3 Verify, Review and Evaluate Information Security Continuity
Annex A.18 Compliance
Annex A.18.1.3 Protection of Records
Annex A.18.1.4 Privacy and Protection of Personally Identifiable Information
Annex A.18.1.5 Regulation of Cryptographic Controls
Annex 18.2 Information Security Reviews

About ISO 27002

This Blog Article is posted by

Infosavvy, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
Contact us – www.infocerts.com
https://goo.gl/maps/mHkyURHmeFXyGiVw5

Leave a Comment

Your email address will not be published. Required fields are marked *

Open Whatsapp chat
Whatsapp Us
Chat with us for faster replies.